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ACCESS CONTROL FOR RENTAL CARS 
DESCRIPTION 
BACKGROUND OF THE INVENTION 

Field of the Invention 

5 The present invention generally relates to a car rental system and, more 

particularly, to a car rental system in which cars are operated by digital keys 
instead of conventional metal keys. 
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01 Background Description 

U1 

nj 

K= In a typical car rental system today, car keys are left in cars when cars 

j j 10 are waiting to be picked up by customers or when cars are dropped off by 

J.. customers at a gated parking lot. Consequently, keys are vulnerable to be 

Qj stolen or copied. It is very costly to disable a stolen key-usually an authorized 

car dealer or locksmith needs to be involved. It is also very dangerous when a 



^ car key is copied by a malicious person who can follow the car when it exits 

y 

15 the parking lot, and steal the car when it is unattended. 

U.S. Patent Nos. 5,289,369 to Hirshberg and 5,812,070 to Tagami et 
al. disclose integrated circuit (IC) card based access control methods where 
each car is equipped with a IC card reader which can communicate with a 
cental station by wireless communications. The cards in these patents store the 

20 identifications (IDs) of the renters carrying the cards. Upon being inserted into 
a card reader on a rental car, the ID stored in the card is read out and sent to 
the cental station to check for proper authorization. In case of outage of 
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wireless communications, the system will fail to work. 

U.S. Patent No. 4,477,874 to Dcuta et al. discloses an off-line access 
control method based on the secret codes stored on a car and a card. Basically, 
a car stores two secret codes, one for master and the other for slave. A card 
that carries the master secret has full control of the car, whereas the card 
carrying the slave secret code has limited control For example, a slave card 
only authorizes the driver to start the engine but not to open the trunk lid. In 
such a system, if the master card is lost, the car reader has to be re- 
programmed with a new master secret code. This system is not suitable for a 
rental system since the reader on the car needs to be re-programmed for every 
renter. 

SUMMARY OF THE INVENTION 

It is therefore an object of the present invention to provide a car rental 
system which does not use conventional metal car keys. 

It is another object of the invention to provide a car rental system 
where network connection from cars to a central station is not required to 
check whether a renter has the proper authorization to operate a car. 

It is yet another object of the invention to provide a car rental system 
where there is no pre-processing to be done on the car to be rented for every 
rental transaction. 

According to the invention, the cars of the car rental system can be 
made operable by having a renter present a digital key issued from the car 
rental system. The digital key specifies the starting date and time of a given 
rental transaction, and the identification of the car the key is for. The digital 
key is further signed by the car rental system for authenticity. The way a 
digital key gets into a renter's hand is as follows. A prospective renter makes 
online reservation over the Web (i.e., the World Wide Web portion of the 

2000-0385US1 



Internet) and downloads into a portable storage device a digital key which can 
be used to operate the reserved car on the day the reservation is made for. On 
the pickup day, the renter goes to the car and inserts the portable storage 
device into a slot on the car. Upon successful verification of the digital key, 
5 the car is enabled and the renter can keep the car until he or she wants to 

return the car. The return process starts by having the renter obtain a 
invalidated digital key from the car. Once the rental car invalidates the digital 
key provided by the renter, the renter can no longer operate the rental car. 
Since the in-car controller is able to decipher the given authorization 
10 information, there is no need to re-program the in-car controller for each 

renter. 

p According to another aspect of the invention, the renter will be held 

^ liable for the rental car until he or she presents the invalidated digital key to 

Ul the central station of the car rental system. To facilitate this, the car rental 

iU 

Li 15 system will set up kiosks with readers to interface with the portable storage 

/jjj carried by the renters. The kiosks can be stationary which have a wired 

e network connection to the cental station of the car rental system, or they can 

P 

gj be mobile (e.g., located on a trailer, a van, a truck) which have a wireless 

W network connection to the cental station. 

Li 

□ 20 To prevent a lost digital key from being used by unauthorized parties, 

w a digital key can contain information such as a personal identification number 

(PIN) or a hash of the PIN of the authorized renter. For extra protection, the 
renter can opt to include his or her PEN in the digital key when the key is 
created by the car rental system. 
25 The parking lot of the car rental system according to the invention can 

be operated without security personnel checking for proper authorization, 
hence saving labor cost and eliminating human efforts. With this advantage, 
the car rental system can open up more satellite rental sites which can operate 
around the clock. This would dramatically improve the service offering to the 
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renters and in turn encourage more rental opportunities. 

BRIEF DESCRIPTION OF THE DRAWINGS 

The foregoing and other objects, aspects and advantages will be better 
understood from the following detailed description of a preferred embodiment 
of the invention with reference to the drawings, in which: 

Figure 1 is a block diagram showing the basic components of the car 
rental system; 

Figure 2 is a flow diagram for the reservation process; 

Figure 3 is a block diagram of the in-car access control system; 

Figure 4 is a flow diagram for the verification process implemented on 
the cars; 

Figure 5 is a flow diagram for the car return process implemented on 
the cars; and 

Figure 6 is a flow diagram for the car return process implemented on a 

kiosk. 

DETAILED DESCRIPTION OF A PREFERRED 
EMBODIMENT OF THE INVENTION 

Referring now to the drawings, and more particularly to Figure 1, there 
is shown a block diagram illustrating the basic components of the invention. 
These include a computing system 10, a portable storage device 12, and an 
access control device 14 with a interface 16 to a portable storage inside a 
rental car 160. 

The computing system 10 is used to make a reservation according to 
the needs of the renter. The computing system is also used to create and store 
digital keys for access to a rental car. The computing system may be located 
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within a kiosk 140 at a car rental agency. The computing system may be a 
simple terminal connected through a network (i.e., an intranet or the Internet) 
120 to a central reservation server 1 10 which accepts reservation requests, 
checks the availability of cars, and creates digital keys for access to the 
reserved cars. Alternatively, a personal computer (PC) 130 located at the 
home, office or other location may be used as a terminal to connect to the 
central reservation server 110. Either the computing system in the kiosk or the 
PC may be provided with means to download digital keys to a portable storage 
device 12. 

The portable storage device is preferably a smart card issued by a car 
rental agency. Other memory devices may be used such as, for example, a 
Personal Digital Assistant (PDA), a memory card (such as the Personal 
Computer Memory Card International Association (PCMCIA) card), or a 
diskette. The manner in which a digital key is downloaded is entirely 
conventional. 



S^> Ir^c^ of a smart card, the renter then carries the smart card 12 to 
the car which contaio^a access control device 14. The card is inserted into the 
reader slot to provide the acfcess^control device 14 with the digital key 
generated by the computing system lDSQie access control device 14 then 
makes decision on whether or not to give the cfcKLtolder access to the car, 
according to the date and time and car ID mformationilHfre digital key. 

Figure 2 is a flow diagram showing the reservation process executed 
by the reservation server 110. The reservation server 1 10 in the first step 202 
authenticates the user visiting the reservation Web site. Upon the reservation 
server successfully authenticating the user (either by name and password or by 
a security token such as a smart card), the user is prompted for the date, time, 
and location for pickup and return, and the type of car in step 204. Upon the 
user submitting the request, the reservation server receives and processes the 
request in step 206. The server 1 10 checks the availability in step 208. If a 
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suitable car is not available, the user is prompted to file a reservation request 
again in step 204. If there is a car available, the server 110 starts to create a 
digital key in steps 210 to 216. Specifically, the server 110 obtains car and 
user information (e.g., car ID and user's PIN) in step 210. The server 110 
computes the hash of user's PIN in step 212. The server 1 10 combines car and 
user information with the hashed PIN in step 214. The server 110 digitally 
signs the combined information using the private key of the reservation server 
1 10 in step 216. The server then responds to the user with a Web page where a 
hyperlink points to the signed information (i.e., digital key) in step 218. 
Finally the user downloads the signed information and saves it into a portable 
storage device 12 in step 220. 

Figure 3 is a block diagram for the in-car access control system. The 
system includes an access controller 330, an electronic control unit 320, and 
actuators 310. The access controller 330 on one hand is connected to a smart 
card slot 342 for accepting user's smart card 12, a keypad for accepting user's 
PIN, and an output device such as light emitting diodes (LEDs) for signaling 
an error to the user. The access controller 330 on the other hand interfaces 
with a electronic control unit (ECU) 320 which is connected to actuators 310 
in charge of actuating various in-car instruments such as doors 302, engine 
304, and trunk lid 306. 

Figure 4 is a flow diagram for the in-car access controller 330. Upon 
detecting a smart card inserted into the smart card slot 16, the access controller 
330 obtains the digital key stored on the smart card in step 402. The access 
controller 330 checks whether the digital key is already invalidated in step 
404. If so, the access controller 330 signals an error to the smart card holder in 
step 420. If the digital key is not invalidated yet, the access controller 330 
verifies the signature on the digital key in step 406. If the signature is not an 
authentic one from the reservation server 110, the card holder is signaled an 
error in step 420. If the signature is genuine in step 408, the user is prompted 
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for PIN in step 410. The controller then checks for correctness of the PIN in 
step 412. If the input PIN matches the one in the smart card, the access 
controller 330 activates the instruments which the user are authorized to have 
access to in step 414. If the input PIN is incorrect in step 412, the user is 
5 prompted again for the correct PIN. If the input PIN fails to match for three 

trials in step 416, the access controller 330 invalidates the digital key in step 
418 by making a record in its storage device. 

Figure 5 shows a flow diagram for the in-car access controller 330 
upon receiving the renter's request to return the car. The user is prompted for 
10 inserting his or her smart card into the smart card slot in step 502 if not 

already done so. The access controller 330 obtains car status information such 
q as fuel level, mileage, current time and car ED from the ECU 320 in step 504. 

jjj The access controller proceeds to create a return packet by combining car 

yi status information and the current digital key in step 506. It then signs the 

nj 

15 return packet using the private key of the car in step 508. The access controller 
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330 appends the car ID to the signed return packet in step 510. It then saves 
the signed return packet into the smart card in step 512. Finally, the access 
controller 330 invalidates the current digital key in step 514 by making a 



t s J record in its storage device. 

p 20 Figure 6 shows a flow diagram for the kiosk 140 upon receiving 

'* renter's request to return the car. The kiosk 140 first prompts the user to insert 

his or her smart card in step 602. The kiosk 140 tries to retrieve the return 
packet from the smart card in step 604. If the return packet is not found in step 
606, the user is notified to get the return packet from the car first in step 616. 
25 If the return packet is present, the kiosk verifies the signature on the return 

packet in step 608. If the signature is not found to be an authentic one from the 
car to be returned in step 610, the user is advised to contact customer service 
for assistance in step 618. If the signature is found to be genuine in step 610, 
the kiosk 140 updates the car status stored at the reservation server 1 10 in step 
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612. The kiosk 140 finally prints a receipt for the user in step 614. 

While the invention has been described in terms of a single preferred 
embodiment, those skilled in the art will recognize that the invention can be 
practiced with modification within the spirit and scope of the appended 
5 claims. 
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